In these examples, ${iot:ClientId} is replaced by the ID of
the client connected to the AWS IoT message broker when the policy is
evaluated. When you use policy variables like ${iot:ClientId},
you can inadvertently open access to unintended topics. For example, if you
use a policy that uses ${iot:ClientId} to specify a topic
filter:

A client can connect using + as the client ID. This would
allow the user to subscribe to any topic matching the topic filter
foo/+/bar. To protect against such security gaps, use the
iot:Connect policy action to control which client IDs are
able to connect. For example, this policy allows only clients whose client
ID is clientid1 to connect:
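The gap and the iot:Connect fix described above, as an added Python model (not part of the original page and not AWS's policy evaluator). The function names and sample topics are constructed for illustration, and only the single-level + wildcard is modelled.

```python
"""Simplified model of the ${iot:ClientId} wildcard gap and the iot:Connect fix."""

# Topic filter from the page's example, before variable substitution.
SUBSCRIBE_RESOURCE = "foo/${iot:ClientId}/bar"
# Client IDs permitted by the iot:Connect policy on the page.
ALLOWED_CLIENT_IDS = {"clientid1"}
# Constructed sample of topics being published on the broker.
PUBLISHED = ["foo/clientid1/bar", "foo/clientid2/bar", "foo/clientid1/baz"]


def resolve(resource, client_id):
    """Replace the policy variable with the connecting client's ID."""
    return resource.replace("${iot:ClientId}", client_id)


def filter_matches(topic_filter, topic):
    """MQTT matching for '+' only: it stands for exactly one topic level."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    return len(f_levels) == len(t_levels) and all(
        f == "+" or f == t for f, t in zip(f_levels, t_levels)
    )


def may_connect(client_id, allow_list=None):
    """allow_list=None models a policy with no client-ID restriction on connect."""
    return allow_list is None or client_id in allow_list


def topics_received(client_id, published, allow_list=None):
    """Topics delivered to a client that subscribes to its resolved filter."""
    if not may_connect(client_id, allow_list):
        return []  # connection refused, so no subscription is ever made
    granted = resolve(SUBSCRIBE_RESOURCE, client_id)
    return [t for t in published if filter_matches(granted, t)]


if __name__ == "__main__":
    for cid in ("clientid1", "+"):
        print(repr(cid), "unrestricted connect:", topics_received(cid, PUBLISHED))
        print(repr(cid), "connect allow-list:  ",
              topics_received(cid, PUBLISHED, ALLOWED_CLIENT_IDS))
```
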